12

I do not have knowledge of Spring user impersonation.

I have gone through some sample configuration code for impersonating a user and noticed that SwitchUserFilter is used for this implementation.

How do I implement user impersonation using Spring's SwitchUserFilter, and how does it work? What is the internal flow of impersonating a user?

I am also using Spring Security in my application.

Can anyone please help me with a simple description or a sample example to achieve this?

Sachi-17

1 Answer

30

You first need to create an instance of SwitchUserFilter, like this:

@Bean
public SwitchUserFilter switchUserFilter() {
    SwitchUserFilter filter = new SwitchUserFilter();
    filter.setUserDetailsService(userDetailsService);
    filter.setSuccessHandler(authenticationSuccessHandler);
    filter.setFailureHandler(authenticationFailureHandler());
    return filter;
}

Then, you can add the filter this way:

@Override
protected void configure(HttpSecurity http) throws Exception {

    http
     ...
     .addFilterAfter(switchUserFilter(), FilterSecurityInterceptor.class);
}

Now, to switch, you can use

POST /login/impersonate?username=loginIdOfTheNewUser

and to switch back

POST /logout/impersonate

Note that it’s your job to ensure that the existing user has enough rights for the switch. A common practice could be to restrict /login/impersonate only to ADMINs, and /logout/impersonate to authenticated users, like this:

        .authorizeRequests()
            .antMatchers("/login/impersonate*").hasRole("ADMIN")
            .antMatchers("/logout/impersonate*").authenticated()
            .antMatchers("/**").permitAll();

See this for a complete example.

stergipe
Sanjay
  • Did anyone do impersonation using OAuth2? – Dapper Dan Jul 19 '18 at 18:15
  • Example link 404. – Madbreaks Aug 15 '18 at 23:54
  • calling /logout/impersonate without previously impersonating a user will lead to a 403 access denied error – Seun Matt Apr 22 '19 at 09:05
  • Thanks, but I have a question. Is the `.hasRole("ADMIN")` necessary if I don't use the authorities? – Jesús Sánchez Jul 28 '20 at 00:42
  • Not necessary, but then anyone can impersonate as anyone AFAIK, and isn't that dangerous? – Sanjay Jul 29 '20 at 21:31
  • Since you are calling the switchUserFilter() method directly to get the filter, shouldn't you remove the @Bean annotation on that method? – splashout Aug 26 '21 at 00:12
  • Calls to `@Bean` methods in `@Configuration` classes actually don't execute the method, but return the configured bean. So, if we remove the @Bean, the difference will be just that there would be no switchUserFilter bean in the application context. But maybe that's okay. So, probably removing `@Bean` should be just fine. – Sanjay Aug 26 '21 at 09:45
  • Thanks Sanjay. Just curious: do you know, if you leave @Bean and call the method, whether you end up with 2 instances? One in the app context (that may never get used) and another one (not in the app context) that is part of the filter chain... Or is Spring smart enough to know to only create one instance in this case? Thanks! – splashout Sep 01 '21 at 17:43
  • If you leave the `@Bean`, there should NOT be any instance in the App Context. (But if you have the `@Bean` in the `@Configuration` class, Spring is smart enough to create only one instance, even if you call the method one or more times) – Sanjay Sep 06 '21 at 05:16
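As an added example (not the answer's own code, nor Spring's), here is the configuration from the answer above completed into one class. It assumes Spring Boot 2.x with Spring Security 5.x and a UserDetailsService bean supplied by the application; the names ImpersonationConfig, onSwitch and impersonatedBy are mine. Beyond the answer it adds an audit listener for every switch, which works because the filter is a @Bean as discussed in the comments, and a helper showing how the switched Authentication still carries the original administrator.

```java
import java.util.Optional;
import java.util.logging.Logger;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.event.EventListener;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.security.web.authentication.switchuser.AuthenticationSwitchUserEvent;
import org.springframework.security.web.authentication.switchuser.SwitchUserFilter;
import org.springframework.security.web.authentication.switchuser.SwitchUserGrantedAuthority;

@Configuration
public class ImpersonationConfig extends WebSecurityConfigurerAdapter {
    private static final Logger LOG = Logger.getLogger(ImpersonationConfig.class.getName());
    @Autowired private UserDetailsService userDetailsService; // assumed: provided by the application

    @Bean
    public SwitchUserFilter switchUserFilter() {
        SwitchUserFilter filter = new SwitchUserFilter();
        filter.setUserDetailsService(userDetailsService);
        filter.setSwitchUserUrl("/login/impersonate"); // explicit, so they stay in sync with the matchers below
        filter.setExitUserUrl("/logout/impersonate");
        filter.setTargetUrl("/");                      // required unless a success handler is set
        return filter;
    }
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/login/impersonate*").hasRole("ADMIN") // only admins may switch
                .antMatchers("/logout/impersonate*").authenticated()
                .anyRequest().authenticated()
            .and().addFilterAfter(switchUserFilter(), FilterSecurityInterceptor.class);
    }
    // Audit trail: as a bean the filter receives an ApplicationEventPublisher and publishes this on every switch.
    @EventListener
    public void onSwitch(AuthenticationSwitchUserEvent event) {
        LOG.info(event.getAuthentication().getName() + " switched to " + event.getTargetUser().getUsername());
    }
    // A switched Authentication carries a SwitchUserGrantedAuthority whose source is the admin's original one;
    // /logout/impersonate restores it from there. Returns the admin's name when the caller is impersonating.
    public static Optional<String> impersonatedBy(Authentication auth) {
        return auth.getAuthorities().stream()
                .filter(SwitchUserGrantedAuthority.class::isInstance)
                .map(a -> ((SwitchUserGrantedAuthority) a).getSource().getName())
                .findFirst();
    }
}
```

In Spring Boot every Filter bean is also registered with the servlet container, so the SwitchUserFilter would run outside the security chain as well; declare a FilterRegistrationBean for it with setEnabled(false) to keep it only in the chain configured above.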